Effective Date:

Implementation History:

Keywords:

Background Information:

Purpose

To define the college’s data classification categories consistent with the minimum standards for the classification level as described in related information security standards, procedures, and guidelines.

Definitions

Category I: This is protected data with high/medium risk from disclosure. This category covers personally identifiable data that includes information whose unauthorized access or loss could seriously or adversely affect the college; an authorized contract partner, specific individuals or the public. This data is subject to state or federally mandated protections, as well as industry rules and regulations.

Category II: This is internal use data with medium/low risk from disclosure. This category covers nonpublic, internal use information that is not subject to state or federally mandated protections.

Category III: This is all public data, which has no risk from disclosure.

Data Consumers/Users: Employees or agents of the college who access enterprise data in performance of their assigned duties.

Data Custodians: College officials and their staff who have operational-level responsibility for the capture, maintenance, dissemination, and storage of enterprise data.

Data Stewards: College administrators whose areas have responsibility for managing a segment of the college’s enterprise data resources.

Enterprise Data:Enterprise data is a subset of the college’s information resources and administrative records and includes any information in print, electronic, or audio-visual format that meets the following criteria:

Acquired and/or maintained by college employees in performance of official administrative job duties;

Created or updated via use of a college enterprise system or used to update data in an enterprise system;

Relevant to planning, managing, operating, or auditing a major function of the college;

Referenced or required for use by more than one organizational unit; and

Included in official administrative reports or official college records.

Statements

This policy applies to all members of the college’s community as well as to external vendors and contractors who receive and maintain collections of college enterprise data.

Enterprise Data Classification and Security Controls Requirements

All enterprise data stored on college systems, or non-college owned resources where college business is transacted, must be classified into one of the three categories defined by this policy and detailed below in the classification matrix. Based on this matrix, data stewards, data custodians, and data consumers/users are required to implement appropriate administrative, technical, and physical controls to protect the data in keeping with the classification of that data.

When information from multiple classifications is co-located on the same system without effective means of isolation, or within the same repository, database, archive, or record, the minimum-security controls of the category representing the highest risk must be applied. As an example, if names and social security numbers were included in meeting minutes, then Category I protections would be required for that document.

These requirements exist in addition to all other college policies and federal and state regulations governing the protection of enterprise data. Compliance with this requirement alone will not ensure that data will be properly secured. Rather, data classification should be considered an integral part of a comprehensive information security plan.

Note: Consistent with the notion of incidental use (use of college resources such as email not directly related to job duties), personal data belonging to employees stored on a college resource is not considered enterprise data.

Classification Matrix

(Examples are not an exhaustive list of the classification’s data.)

Data Classification

Disclosure Risk

Definition

Examples

Category I:

Protected Data

High/Medium

Personally Identifiable data includes information whose unauthorized access or loss could seriously or adversely affect SUNY Empire State College; an authorized, contracted partner; specific individuals, or the public. Security breaches of this information are subject to the NY State Information Security and Breach Notification Act and other federal, state, and industry rules and regulations.

Regulated data includes information subject to Family Educational Rights and Privacy Act (FERPA) or other federal, state, or business regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Red Flags Rule) that require specific levels of protection to prevent its unauthorized modification or use.

Statutory Data

Social Security Number

Driver's License Number

Department of Motor Vehicle State-issued Non-drivers ID Number

Bank/Financial Account Number

Credit/Debit Card Number

Electronic Protected Health Information-HIPAA

FERPA-protected data

Gramm Leach Bliley Act (GLBA) data and other data protected by law or regulation

Category II includes non-public, internal use information that is not subject to state or federally mandated protections.

This includes data exempt from disclosure in NY State’s Freedom of Information Law (FOIL), as well as information that would normally require a FOIL request for public release.

Other HR Employment Data

Law Enforcement Post

Investigation Data

Public Safety Information

IT Infrastructure Data

Collective Bargaining/Contract Negotiation Data

Trade Secret Data

Protected Data Related to Research

College Intellectual Property

College Proprietary Data

Data protected by non-disclosure agreements

College Financial Data

Empire State College Employee ID

Meeting Minutes

Administrative process data

Data about decisions that affect the public

Licensed Software

Inter- or Intra-Agency Data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data

Category III:

Public Data

None

All public data

General access data, such as that on unauthenticated portions of esc.edu

Information Security Roles and Responsibilities

The Data Governance committee will be responsible for reviewing and updating this policy as necessary. This committee shall be composed of the appropriate people from Enterprise Systems and Infrastructure (ESI), as well as from compliance, and data governance.

Enterprise Systems and Infrastructure (ESI)

A team from ESI will approve how enterprise data is stored, processed and transmitted by the college and by third-party agents of the college. This approval will be handled through review of data flow documentation maintained by a data custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how enterprise data is or will be stored, processed and transmitted.

Data Steward

Data stewards are college administrators whose areas have responsibility for managing a segment of the college's enterprise data resources. Responsibilities of a data steward include the following:

Determining the appropriate criteria for obtaining access to enterprise data - A data steward is accountable for who has access to enterprise data. This does not imply that a data steward is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a data custodian in conjunction with Information Technology Services (ITS). A data steward may decide to review and authorize each access request individually or a data steward may define a set of rules that determine who is eligible for access based on business function, support role, etc. These rules should be documented in a manner that allows little or no room for interpretation by a data custodian. If no rule is present for a data set, the data custodian must consult the steward of the data before granting access or releasing data.

Understanding how enterprise data is stored, processed and transmitted by the college and by third party agents of the college - While the ESI team is responsible for approving how enterprise data is stored, processed and transmitted based on SUNY's Information Security policy, it is important for the data steward to understand these important standards in order to ensure reasonable and appropriate security controls are implemented. This can be accomplished through review of data flow documentation maintained by a data custodian. In situations where enterprise data is being managed by a third party, the contract or service level agreement should require documentation of how data is or will be stored, processed and transmitted.

Understanding risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity and availability of enterprise data - Information security requires a balance between security, usability and available resources. Risk management plays an important role in establishing this balance. Understanding what classifications of data are being stored, processed and transmitted will allow data stewards to better assess risks. Understanding legal obligations and the cost of non-compliance will also play a role in this decision-making. Both the information security team and SUNY counsel can assist data stewards in understanding risks and weighing options related to data protection.

Understanding how enterprise data is governed by college policies, state and federal regulations, contracts and other legally binding agreements - Data stewards should understand whether or not any college policies govern their enterprise data. Data stewards are responsible for having a general understanding of legal and contractual obligations surrounding enterprise data. SUNY counsel and the SUNY Information Security policy can assist data stewards in gaining a better understanding of legal obligations.

Data Custodian

A data custodian is an employee of the college who has operational responsibility over enterprise data. In many cases, there will be multiple data custodians. An enterprise application may have teams of data custodians, each responsible for varying functions. A data custodian is responsible for the following:

Understanding and reporting on how enterprise data is stored, processed and transmitted by the college and by third-party agents of the college - Understanding and documenting how enterprise data is being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate data steward. Transmitting, storing and processing of data should be in conjunction with ITS.

Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of enterprise data - ESI will implement reasonable and appropriate security controls for the classifications of data. Contractual obligations, regulatory requirements and industry standards also play in important role in implementing appropriate safeguards. Data custodians should work with data stewards to gain a better understanding of these requirements. Data custodians should also document what security controls have been implemented and where gaps may exist in current controls. This documentation should be made available to the appropriate data steward.

Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing and transmission of enterprise data - Documenting operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data custodians should document as many repeatable processes as possible. This will help ensure that college data is handled in a consistent manner. This will also help ensure that safeguards are being effectively leveraged.

Provisioning and de-provisioning access to enterprise data as authorized by the data steward - Data custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate data steward. As specified above, standard procedures for provisioning and de-provisioning access should be documented and made available to the appropriate data steward.

Understanding and reporting on security risks and how they impact the confidentiality, integrity and availability of enterprise data - Data custodians should have a thorough understanding of security risks impacting their enterprise data. Security risks should be documented and reviewed with the appropriate data steward so that the steward can determine whether greater resources need to be devoted to mitigating these risks. The ESI team can assist data custodians with gaining a better understanding of their security risks.

Data Consumer/User

A data consumer/user is a person that has been authorized access to specific enterprise data. Data consumers/users are required to abide by all data classification rules defined by both this policy the data custodian.

In the Event of a Breach

If a data steward, data custodian or data consumer/user discovers a security breach of any kind it must be immediately reported to the technology service desk in ITS. The ESI team will take immediate action to mitigate the breach and begin forensic discovery to determine its cause.

Violation of this Policy

Violations of this policy by employees or students may result in immediate suspension or revocation of information technology resources privileges and/or disciplinary action. Additionally, violations of state and/or federal laws in the use of the enterprise data may also result in criminal prosecution and/or civil liability.